Open source software security

Full Disclosure Policy

It has occurred to me, through my latest spat with the Drupal security team, that I need to clearly define my beliefs on full disclosure so that there can be no misunderstanding as to my motivations. I've made attempts to outline my stance in the past, but I don't think I've given them enough attention. For this reason I wish to outline my philosophy vis-à-vis full disclosure as clearly and unequivocally as possible. Thus, I believe:

1) I am not the smartest person doing vulnerability research. I have a limited amount of time to devote to security research. I believe there are black hats who are smarter than I am, who have more time than I do, who do exactly what I do. I believe it is not in the economic interest of black hats to disclose their discoveries.

2) Accepting #1 above; if I have discovered a vulnerability one must assume the black hats have discovered it.

3) Accepting #2 above; if black hats have discovered a vulnerability they are exploiting it.

4) Accepting all of the above: if I discover a vulnerability in software, there are users employing that software who are vulnerable to exploitation. Those users deserve to know about these vulnerabilities so they can assess whether or not they should continue to use the software, modify their use, or in other ways mitigate their risk. In other words, I believe that end users should be in full possession of the available data and allowed to make their own risk assessments. End users should not be forced to wait until a fix is available. End users should know about vulnerabilities immediately so they can take steps to protect themselves (see #3 above) in the interim while a fix is being developed.

5) I believe that by posting to the full-disclosure mailing list my discovery will reach the maximum audience of end users. By providing a web accessible vulnerability report, end users have access to information about the vulnerability.

6) I have found that without proof of concept code or process many vendors do not accept that a vulnerability exists. Proof of concept will thus be provided with every vulnerability, so that it can be independently verified and so that there can be no doubt about the vulnerability.

7) I have no obligation to the software developer(s). My ethical responsibility is to end users: to inform them as soon as possible of the fact that they may be employing software with vulnerabilities. This report should include a complete assessment of the vulnerability so that end users can evaluate their own risk based on individual circumstances (see #4 above).

8) The concept of "responsible disclosure" is an artifact of vendor desires and does not serve the end user. Disclosure of a vulnerability empowers end users, not "bad guys" (see #1 above).

9) I receive no compensation for my efforts. The only remuneration I receive is credit for the vulnerability discovery, which is ultimately protected by full disclosure.

10) I believe that software vendors and/or maintainers should behave responsibly and respect the fact that I have informed them of a vulnerability in concert with the full disclosure, rather than leaving them to discover the report in the public domain by their own devices.

11) While I do not expect everyone to agree with my philosophy I do expect my peers to behave professionally and to treat objective disagreements in a mature manner. I recognize, however, that this will often not be the case.

12) I believe that I am a security researcher, not a programmer. I am best suited to finding and analyzing vulnerabilities, not fixing them. There are people more appropriate to this task, and thus I do not provide fixes as part of my vulnerability disclosures.

I have discussed my position with many of my peers and have found broad support for it (http://www.schneier.com/essay-146.html). I see my vulnerability disclosures as a service to the open source community, albeit one that gains me much animosity. I trust, however, that the "silent majority" of end users, such as myself, who are best served by timely and thorough reports of vulnerabilities in the software they utilize, appreciate my efforts.